I have a PIX 525 ver 6.3(2). I have some consultants who want me to allow them to VPN out of the network to their VPN Concentrator 3000 (which I have very little information about). What ports do I open to allow this?
Use Client Address; Check this box to let the client specify its own IP address. For maximum security, we recommend that you control IP address assignment and not use client-specified IP addresses. Do not check only this box if you are using IPSec, since IPSec does not allow client-specified IP addresses.
Make sure the setting here is consistent with the setting for Use Client Address on the PPTP/L2TP Parameters tab on the User Management | Base Group screen. A different Use Client Address setting for specific groups and users overrides the setting here and on the base group screen.
I am not sure if this command is implemented in 6.3.2, but try it on the CLI if it exists.
fixup protocol esp-ike
The fixup protocol esp-ike command enables PAT for Encapsulating Security Payload (ESP), single tunnel.
The fixup protocol esp-ike command is disabled by default. If a fixup protocol esp-ike command is issued, the fixup is turned on, and the firewall preserves the source port of the Internet Key Exchange (IKE) and creates a PAT translation for ESP traffic. Additionally, if the esp-ike fixup is on, ISAKMP cannot be turned on any interface.